Splunk Mission Control

Incident Type and Response Task not auto assigned to Incident- Is this a bug or did I not configure correctly?

mikerennie
Explorer

One of our alerts, CSIRT - Threat_Activity_Detection,  came in on 8/31 but did not auto assign the Incident Type  that I created (csirt - threat_activity_detection) and therefore the Response Template I created (CSIRT – Threat Activity Detection) for that Incident did not get assigned.  Is this a bug or did I not configure this properly?

Labels (1)
0 Karma

vthimmegowda
Splunk Employee
Splunk Employee

This is a bug on UX to provide option to update the same macro from all the incident types. 
Work around for this is to update macro `mc_assign_incident_type` . The query in the macro should account for all incident types. 
You can also update through the UI , like u were doing before. But the query should account for all incident types 

0 Karma

msayar
Splunk Employee
Splunk Employee
Hey Mike, does the Incident Type Matching Macro work when you use it in Search? Do you have permissions to see the Incident Type you created?
 
0 Karma

mikerennie
Explorer

Hey!  Thank you for reaching out.  I can view the incident type I created (csirt - threat_activity_detection) within Settings > Incident Types.  Regarding the  Incident Type Matching Macro, if I click on the link with the setting for the incident type I created ("Click here to check your macro in action"), I do get results.  FYI, the value in that box is 'eval incident_type = case( severity == "medium", "CSIRT - Threat_Activity_Detection")'

0 Karma

mikerennie
Explorer

Thoughts on this original issue?

msayar
Splunk Employee
Splunk Employee

Yup, it's a bug! Thanks for bringing it to our attention. We'll fix it in one of our next updates.

0 Karma

mikerennie
Explorer

In addition, I see that when I create an Incident Type, it changes the 'Incident Type Matching Macro' box value of all the others to be the same as the new one I created.

0 Karma

vthimmegowda
Splunk Employee
Splunk Employee

@mikerennie wrote:

In addition, I see that when I create an Incident Type, it changes the 'Incident Type Matching Macro' box value of all the others to be the same as the new one I created.


can you please attach a snapshot of what u see  ?

0 Karma

mikerennie
Explorer

Sure!

Between my two messages above, I created a new Incident Type called 'cyber threat intelligence' and created the value in the Incident Type Matching Macro box:

mikerennie_0-1662493613454.png

I now go into the other Incident Types I have (including the Default one) and it too now has the same values as the above:

mikerennie_2-1662493722137.png

 

 

 

0 Karma

kavitav
Splunk Employee
Splunk Employee

@mikerennie The Incident Type Matching Macro points to an overall macro which will determine incident type of the incident. This is to facilitate hierarchy of conditions across incident types. Therefore the query must define each incident type, not just the one being edited currently. We recognize that this is actually not intuitive in the current UI and will be working to update this. Thanks for calling it out! A sample is below:

eval incident_type=case(risk_event_count>20, "incident_type_1", urgency=="medium", "incident_type_2")



Let us know if this is helpful. Happy to jump on a call to talk more!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 1 release of new security content via the ...

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...